August. 09, 2018 posted by Foehn
A few weeks back, we posted a blog on PCI-DSS compliance, focusing on the significant number of smaller businesses that haven’t taken steps to implement PCI requirements. In particular, we highlighted the popular but non-compliant practice of ‘pause and resume’ as a quick fix that attempts to hide financial details of the customer from the agent and from the call recording.
The routine requires the agent to manually pause the call at the moment the customer provides financial details, then resumes the call when the customer has finished. Alternatively, the process can be programmed to provide automated pause and resume, in response to certain triggers.
Either way, this approach is dangerously prone to human error and system glitches that can breach regulations, incur severe financial penalties and, not least, damage reputation.
For example, working under the pressure of a busy call centre environment, it’s more than possible that an agent could forget to pause a call, allowing a customer’s financial data to be recorded and stored illegally. In turn this invites the threat of hackers or less trustworthy employees breaching internal security and accessing the data for fraudulent purposes.
Ultimately, it’s often possible for an agent to hear and note the payment details whilst the recording is on pause, then use the details illegally. A recent survey1 suggests that when a customer is entering payment details, as many as 43% of agents are able to see or hear them. Furthermore, historical recordings are accessible to 70% of employees and some 35% of supervisors admit to listening to recordings. Disturbingly, 90% of these recordings contain customer confidential information and nearly a third contain financial data.
Whilst this widescale access to historical recordings is normally intended for staff training or resolving specific customer issues, it also presents an astonishingly simple route to fraud. In fact, a survey2 carried out in 2017 estimated that 79% of card-not-present fraud comes from ‘an insider’ rather than an external source.
Against this clear background of widespread non-compliance, it’s surprising to see that three quarters of those surveyed believe they are already compliant with PCI-DSS. So what’s going on? Are UK businesses not practicing what they preach? Are they confused or are they simply lying? The answer comes with one last finding. Asked, ‘To what level is your organisation PCI-DSS compliant?’, more than 80% didn’t know.
Here lies the problem with PCI. It’s a complex set of regulations, it is regularly updated with new requirements and vendors of compliance solutions are sending out mixed messages on what conforms and what doesn’t. Businesses are faced with employing specialists to unravel the answers but, for the SME at least, the cost of consultancy fees or a full-time compliance manager can be prohibitive.
At Foehn we are very conscious of the challenges presented by PCI compliance and, during the course of providing our contact centre solutions, we go to great lengths to fully understand the client’s working practices and security arrangements.
Importantly, we also work with systems that, from the outset, completely eliminate agents and infrastructure from the scope of PCI-DSS assessment, greatly simplifying the compliance task. Callers enter their own card details using a telephone keypad and the system masks the DTMF tones, ensuring agents are not exposed to any card information and preventing payment details from entering the contact centre system.
In line with our philosophy for all our development work, this solution removes complexity, leaving a simpler, more affordable result. If you’re investing in a new system or you’re concerned about compliance of your existing system, check out our buyers guide.
Sources: 1UKCCF survey 2018 2Kroll Global Fraud & Risk Report 2016-2017